Rapid7 Blog

UserInsight's New User Statistics Provide Great Visibility for Incident Responders


Nate Silver made statistics sexy, and we're riding that wave. But seriously, breaking down some of the more noisy alerts on the network by users and showing you spikes can really help you detect and investigate unusual activity. That's why we've built a new UserInsight feature that shows you anti-virus alerts, vulnerabilities, firewall activity, IDS/IPS alerts, and authentications by users that show the most activity and enable you to dig in deeper by filtering by user. You can get to the new stats page by clicking on the Active Users link on your UserInsight dashboard:

What you'll see is the stats for five different data types:

Virus Alerts: Most security professionals see anti-virus solutions as a protective solution for mass malware rather than a detection solution. However, we believe there is some value in this much-bashed data when you apply statistics to it and break it down by user. In our demo system, the user Shawna Roy popped up at the top of the list with 65 virus alerts. By clicking on the little graph icon next to the name on the right, you can display the data for this user only (and add additional users to the chart by clicking their icon). Shawna saw 30 alerts on August 14, which is probably worth investigating. By clicking on the name itself, you can get more context on Shawna's activities, such as the assets and cloud services she authenticated to, the applications she accessed, and the locations she logged on to the network from. This may reveal other indicators of compromise that help in triaging this statistical outlier.

Exploitable Vulnerabilities: Slicing vulnerability data by CVSS score, exploitability, and critical hosts is something security professionals are very familiar with. However, most security programs can't provide visibility by user, which can be important in the context of phishing and other social engineering campaigns that target client-side vulnerabilities. The more exploitable vulnerabilities a user has, the more attack surface cyber-criminals have to work with. The new UserInsight vulnerabilities user stat feature shows you which users have the most exploitable vulnerabilities and warrant a second look to ensure that a security program is prioritizing the right vulnerabilities for remediation. It can also help give context of the likelihood that an attack against a certain user successfully exploited their machine.

Firewall Activity: Firewall activity is very noisy, especially if you ingest all traffic rather than just denies. In the following example, Joshua Green had a million firewall connections in a single day, which is clearly an outlier when we filter for this user. This is definitely worth investigating, since it may be a sign of a malware/botnet infection that is scanning the Internet or participating in a DDoS attack.

IDS: IDS/IPS data is also extremely noisy. One customer we spoke to has 20,000 alerts per day, making it impossible for him to investigate every single one. Providing user context can greatly increase visibility and help make sense of the data. Check out Matt's blog post on canceling noisy alerts, which covers a lot of this topic already.

Authentications: Both successful and failed authentications can provide a lot of visibility into what's happening on your network. Accounts with many successful authentications can be legitimate or a cause for concern. There will be some obvious accounts, such as your vulnerability scanner or a backup solution that logs onto many devices many times, but there may also be accounts that should not exhibit this type of activity. You may discover that a user account is being abused as a service account, for example, which is not a best practice. Failed authentications may point you to a brute force attack on a certain user, or show you an issue with a device using an outdated password.
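To make the per-user breakdown concrete, here is an added Python example (not UserInsight's code) that rolls a constructed event list up by user and data type, flags a user's one-day burst against their own baseline, and flags a user whose total dwarfs their peers. The user names, dates and counts are constructed for illustration.

```python
"""Per-user alert statistics, as UserInsight's stats page does: roll noisy
events up by user, then look for the spikes that single a user out."""
from collections import Counter
from statistics import median

# Constructed sample events (user, day, kind); not real UserInsight data.
# The shape mirrors the post: one user with a one-day burst of virus alerts,
# one user dominating firewall connections, one with many failed logons.
EVENTS = (
    [("shawna.roy", "2014-08-12", "virus")] * 2
    + [("shawna.roy", "2014-08-13", "virus")] * 3
    + [("shawna.roy", "2014-08-14", "virus")] * 30   # the burst
    + [("shawna.roy", "2014-08-15", "virus")] * 2
    + [("dana.li", "2014-08-14", "virus")] * 4
    + [("joshua.green", "2014-08-14", "firewall")] * 5000
    + [("dana.li", "2014-08-14", "firewall")] * 120
    + [("alex.m", "2014-08-14", "firewall")] * 90
    + [("pat.o", "2014-08-14", "firewall")] * 150
    + [("bob.k", "2014-08-14", "auth_failed")] * 40
    + [("dana.li", "2014-08-14", "auth_failed")] * 2
    + [("alex.m", "2014-08-14", "auth_failed")] * 1
)

def top_users(events, kind, n=3):
    """Rank users by total count of one data type (the stats page table)."""
    return Counter(u for u, _, k in events if k == kind).most_common(n)

def daily_counts(events, kind, user):
    """Per-day counts for one user: the series behind the graph icon."""
    return Counter(d for u, d, k in events if k == kind and u == user)

def spike_days(daily, factor=3.0, min_days=3):
    """Days on which a user's count exceeds `factor` times their own median
    daily count. Fewer than `min_days` of history gives no baseline, so
    nothing is flagged rather than every busy day."""
    if len(daily) < min_days:
        return []
    baseline = median(daily.values())
    return sorted(d for d, c in daily.items() if c > factor * baseline)

def outlier_users(events, kind, ratio=10.0, min_users=3):
    """Users whose total exceeds `ratio` times the median user total for
    `kind`: the cross-user view that made one firewall user stand out."""
    totals = Counter(u for u, _, k in events if k == kind)
    if len(totals) < min_users:
        return []
    baseline = median(totals.values())
    return sorted(u for u, c in totals.items() if c > ratio * baseline)
```

The two checks are complementary: Shawna's total is not extreme across users, but her August 14 count is against her own history, while Joshua's single-day firewall total stands out only when compared with other users.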

Check out the new user stats page and let us know if you discover a use case that we're not listing here, or a new stat you'd find useful. The feature is already live in your UserInsight environment. If you don't have UserInsight yet, please sign up for a free guided demo and chat with us about a proof of concept in your environment to detect and investigate incidents.
